tklengyel
commented
7 years ago To detect if the written breakpoint instruction is being read by the guest itself so that it can be hidden from it or if it is being overwritten.
Closed dongphuong2410 closed 7 years ago
tklengyel
commented
7 years ago To detect if the written breakpoint instruction is being read by the guest itself so that it can be hidden from it or if it is being overwritten.
Hello, I'm reading sourcecode of guestrace to understand how we can monitoring the syscalls, but there is one thing I couldn't figure out : when we set the trap for a syscall, why we need to set both the mem_event and the interrupt to the shadow page (like in the picture, source code is extracted from guestrace/src/trace-syscalls.c). In another way, is line 1173 necessary ? As far as I understand, just writing the interrupt (line 1194) is enough , is it right ?
I was considering posting this question to the libvmi google group, but the source code is here so maybe posting here is better :-?. I'm looking forward the the answer ..
Thank you.